diff --git a/src/index.ts b/src/index.ts index 79132ae..1581f88 100644 --- a/src/index.ts +++ b/src/index.ts @@ -38,7 +38,7 @@ const whitelist = [ // THIS IS FOR TESTING ONLY const corsOptions = { - origin: "*", + origin: whitelist, credentials: true, // access-control-allow-credentials:true allowedHeaders: ["Content-Type", "Authorization"], // access-control-allow-headers optionSuccessStatus: 200, diff --git a/src/modules/user/user.messages.ts b/src/modules/user/user.messages.ts index 23f3bb4..506bd29 100644 --- a/src/modules/user/user.messages.ts +++ b/src/modules/user/user.messages.ts @@ -105,9 +105,9 @@ export const USER_MESSAGES = { WRONG_PASS_5_TIMES: "Entered wrong password over 5 times!", //token - REFRESH_TOKEN_IS_REQUIRED: "Refresh token is required", OTP_IS_INCORRECT: "OTP is incorrect", + // block USER_HAS_BEEN_BLOCKED: "user has been blocked", USER_UNBLOCK_SUCCESSFULLY: "user unblock successfully", diff --git a/src/modules/user/user.middlewares.ts b/src/modules/user/user.middlewares.ts index 7ad5b6c..70a4283 100644 --- a/src/modules/user/user.middlewares.ts +++ b/src/modules/user/user.middlewares.ts @@ -33,6 +33,7 @@ import { PROTECT_MESSAGES } from "../protectRouting/protect.messages"; import { checkRole, routesConfig } from "../protectRouting/protect.utils"; import { LoginRequestBody, TokenPayload } from "./user.requests"; import usersService from "./user.services"; +import jwt from "jsonwebtoken"; //! Prevent db injection, XSS attack export const paramSchema: ParamSchema = { customSanitizer: { 
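Review bot: With `origin: whitelist` the array is now the entire cross-origin access decision, and because `credentials: true` stays in place every entry in it gets cookie-bearing cross-origin access; the list itself is declared above the hunk, and the `// THIS IS FOR TESTING ONLY` comment sitting between `const whitelist = [` and `const corsOptions` suggests a test origin lives there that must not ship. Consider sourcing the list from configuration so a test entry cannot reach production, e.g. `origin: process.env.CORS_ORIGINS?.split(",") ?? whitelist`. The removed `origin: "*"` together with `credentials: true` was never honoured by browsers for credentialed requests, so this is also a functional fix, not only a tightening. Separately, the context line `optionSuccessStatus: 200,` appears to misspell the cors option `optionsSuccessStatus`; if so it is silently ignored and preflights answer with the default 204.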
@@ -1244,9 +1245,41 @@ export const refreshTokenCookieValidator = async ( }); } + const access_token = req.headers.authorization?.split(" ")[1]; + const decoded_access_token = jwt.verify( + access_token as string, + process.env.JWT_SECRET_ACCESS_TOKEN as string, + { + ignoreExpiration: true, + }, + ) as TokenPayload; + + if (decoded_access_token.user_id !== decoded_refresh_token.user_id) { + next( + new ErrorWithStatus({ + message: USER_MESSAGES.REFRESH_TOKEN_NOT_VALID, + status: HTTP_STATUS.UNAUTHORIZED, + }), + ); + } + req.decoded_refresh_token = decoded_refresh_token; } catch (error) { if (error instanceof JsonWebTokenError) { + if (error.message === "jwt expired") { + res.clearCookie("refresh_token"); + await databaseService.refreshTokens.deleteOne({ + token: value, + }); + next( + new ErrorWithStatus({ + message: capitalize( + (error as JsonWebTokenError).message, + ), + status: HTTP_STATUS.UNAUTHORIZED, + }), + ); + } next( new ErrorWithStatus({ message: capitalize((error as JsonWebTokenError).message), diff --git a/src/modules/user/user.routes.ts b/src/modules/user/user.routes.ts index cc39197..c6e5c89 100644 --- a/src/modules/user/user.routes.ts +++ b/src/modules/user/user.routes.ts @@ -230,16 +230,15 @@ usersRouter.post( usersRouter.post( "/logout", accessTokenValidator, - refreshTokenCookieValidator, + wrapAsync(refreshTokenCookieValidator), wrapAsync(logoutController), ); usersRouter.post( "/refresh-token", - refreshTokenCookieValidator, + wrapAsync(refreshTokenCookieValidator), wrapAsync(refreshTokenController), ); - usersRouter.post( "/block", accessTokenValidator,
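Review bot: Neither new `next(new ErrorWithStatus(...))` call returns, so on a `user_id` mismatch execution falls through to `req.decoded_refresh_token = decoded_refresh_token` and the request continues after the error handler has already been invoked, and in the `"jwt expired"` branch the generic `next(...)` that follows in the same catch fires a second time for one request. Prefix both with `return next(new ErrorWithStatus({ ... }))`. Because `jwt.verify(access_token as string, ...)` runs inside the same try, a request with no Authorization header is rejected by jsonwebtoken ("jwt must be provided", presumably) and reported as if the refresh cookie were bad; if a bearer token is meant to be mandatory here, reject its absence explicitly before verifying, otherwise guard the binding check with `if (access_token)`. The verify call also pins no `algorithms`, so consider `algorithms: ["HS256"]` (or whatever the signer uses). The enclosing `refreshTokenCookieValidator` starts and ends outside the hunk.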
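Review bot: `/refresh-token` registers `wrapAsync(refreshTokenCookieValidator)` with no `accessTokenValidator` ahead of it, yet that validator (per the middlewares hunk) now reads `req.headers.authorization` and verifies the bearer token with `ignoreExpiration`, so the route silently requires clients to keep sending their last access token, expired or not. That contract is invisible from the route table; add a comment on the route such as `// requires the refresh cookie AND the (possibly expired) access token in Authorization; the validator binds them by user_id`. The switch to `wrapAsync` looks right, since the validator now awaits a database call and, assuming `wrapAsync` forwards rejections to `next`, an unhandled rejection under Express 4 would otherwise leave the request without a response.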